Information About Installing Cisco VNMC and Cisco VSG

This chapter presents an example of an effective way to install and set up a basic working configuration of the Cisco VNMC and Cisco VSG. The example in this chapter uses the OVF template method to install the OVA files of the software. The steps assume that the Cisco Nexus 1000V is up and running and endpoint VMs are already installed.

Cisco VSG and Cisco VNMC Installation Planning Checklists

Planning the arrangement and architecture of your network and equipment is essential for successful operation of the Cisco VNMC and Cisco VSG. This section provides some planning and information checklists to assist you in installing the Cisco VNMC and Cisco VSG.

Table 2-2 Preparation of the Cisco Nexus 1000V Series Switch for Further Installation Processes

| Item | Requirement | Your Information |
|------|-------------|------------------|
| 1 | Two VLANs that are configured on the Cisco Nexus 1000V Series switch uplink ports: the service VLAN and an HA VLAN (the VLAN does not need to be the system VLAN) | |
| 2 | Two port profiles that are configured on the Cisco Nexus 1000V Series switch: one port profile for the service VLAN and one port profile for the HA VLAN (you will be configuring the Cisco VSG IP address on the Cisco VSG so that the Cisco Nexus 1000V Series switch can communicate with it) | |

Table 2-3 Your Cisco VNMC and Cisco VSG Information for Use Later During Installation

| Item | Type | Your Information |
|------|------|------------------|
| 1 | Cisco VSG name—Unique within the inventory folder and up to 80 characters long | |
| 2 | Hostname—Where the Cisco VSG will be installed in the inventory folder | |

Task 1—Installing the Cisco VNMC Software from an OVA Template

As with most software application installations, there is an order of installation for the Cisco VNMC and the Cisco VSG that must be followed to ensure that all components work and communicate properly. This first task involves using an OVA Template to install the Cisco VNMC software.

BEFORE YOU BEGIN

Before starting the procedure, know or do the following:

• Verify that the Cisco VNMC OVA image is available in the vCenter

• IP/subnet mask/gateway information for the Cisco VNMC

• The admin password, shared_secret, and hostname that you want to use

• The DNS server and domain name information

• The management port-profile name for the virtual machine (VM) (management)

Note The management port profile is the same port profile that is used for the VSM. The port profile is configured in the VSM and is used for the Cisco VNMC management interface.

• Make sure that the host has 2-GB RAM and 25-GB available hard-disk space

• Have a shared secret password available (this password is what enables communication between the Cisco VNMC, VSM, and Cisco VSG)

Note Parameters for choosing the shared secret password:

- The password must be more than eight characters long.

- Characters not supported for shared secret password: & ' " ` ( ) < > | \ characters and all other characters supported on the keyboard.

- The password should contain lowercase letters, uppercase letters, digits, and special characters.

- The password should not contain characters repeated three or more times consecutively.

- The new shared secret password should not repeat or reverse the username.

- The password should not be "cisco", "ocsic", or any variant obtained by changing the capitalization of letters therein.

- The password should not be formed by easy permutations of characters present in the username or Cisco.
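The shared secret rules in the note above, written as a check that can be run on a candidate value before it is entered in the wizard. This is an added example, not Cisco code: the function name check_shared_secret and the default username admin are hypothetical, only the characters listed in the note are treated as unsupported, and reading "repeat or reverse the username" as "contains it" and "easy permutations" as anagrams are assumptions.

```python
import re

# Characters the note lists as not supported in the shared secret.
UNSUPPORTED = set("&'\"`()<>|\\")
CLASSES = {"a lowercase letter": "[a-z]", "an uppercase letter": "[A-Z]",
           "a digit": "[0-9]", "a special character": "[^A-Za-z0-9]"}

def _is_anagram(candidate, word):
    """Assumed reading of 'easy permutation': same letters in another order."""
    return bool(word) and sorted(candidate.lower()) == sorted(word.lower())

def check_shared_secret(secret, username="admin"):
    """Return the rules from the note that `secret` breaks (empty list = OK)."""
    problems = []
    low, user = secret.lower(), username.lower()
    if len(secret) <= 8:
        problems.append("must be more than eight characters long")
    bad = sorted(set(secret) & UNSUPPORTED)
    if bad:
        problems.append("contains unsupported characters: " + " ".join(bad))
    for name, pattern in CLASSES.items():
        if not re.search(pattern, secret):
            problems.append("needs " + name)
    if re.search(r"(.)\1\1", secret):
        problems.append("a character repeats three or more times in a row")
    # Assumed reading: the username, forwards or reversed, appears in the secret.
    if user and (user in low or user[::-1] in low):
        problems.append("repeats or reverses the username")
    if low in ("cisco", "ocsic"):
        problems.append("is 'cisco', 'ocsic', or a capitalization variant")
    if _is_anagram(secret, username) or _is_anagram(secret, "cisco"):
        problems.append("is a permutation of the username or 'cisco'")
    return problems

if __name__ == "__main__":
    # Constructed candidates; the first is the sample value used later on this page.
    for candidate in ("Example_Secret123", "Nimda_Pass1234", "Good(Pass)111x"):
        print(candidate, "->", check_shared_secret(candidate) or "OK")
```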

Step 13 Click Next.

Note Make sure that red text messages do not appear before you click Next. If you do not want to enter valid information in the red-indicated fields, use null values to fill those fields. If those fields are left empty or filled with invalid null values, the application does not power on.

• Make sure that IP connectivity between the VSM and the Cisco VNMC is working.

Note If you upgrade your VSM, you must also copy the latest Cisco VSM policy agent image. This image is available in the Cisco VNMC image bundle to boot from a flash drive and to complete registration with the Cisco VNMC.

PROCEDURE

Step 1 On the VSM, enter the following commands:

vsm# configure terminal

vsm(config)# vnm-policy-agent

vsm(config-vnm-policy-agent)# registration-ip 10.193.75.95

vsm(config-vnm-policy-agent)# shared-secret Example_Secret123

vsm(config-vnm-policy-agent)# policy-agent-image vnmc-vsmpa.1.0.1j.bin

vsm(config-vnm-policy-agent)# exit

vsm(config)# copy running-config startup-config

vsm(config)# exit

Step 2 Check the status of the VNM policy agent configuration to verify that you have installed the Cisco VNMC correctly and it is reachable by entering the show vnm-pa status command.

This example shows that the Cisco VNMC is reachable and the installation is correct:

Step 9 Add the VLANs created for the Cisco VSG data and Cisco VSG HA interfaces as part of the allowed VLANs into the uplink port-profile. Use the configure command to enter global configuration mode.

vsm# configure

Step 10 Enter the following configuration commands:

vsm(config)# port-profile type ethernet uplink

vsm(config-port-prof)# switchport trunk allowed vlan add 100, 200

vsm(config-port-prof)# exit

vsm(config)#

To end the session, press Ctrl-Z.

Task 5—Installing the Cisco VSG from an OVA Template

Once you have installed the Cisco Virtual Network Management Center (Cisco VNMC), configured the Cisco VNM policy agent on the VSM, and prepared the Cisco VSG port profiles by creating the VLANs that will be used, you now must install the Cisco VSG.

For this example, the OVF Template is used to install a Cisco VSG in standalone mode.

BEFORE YOU BEGIN

Before starting the procedure, know or do the following:

• Make sure that the Cisco VSG OVA image is available in the vCenter.

• Make sure that the Cisco VSG-Data and Cisco VSG-ha port profiles are created on the VSM.

• Management port-profile (management)

Note The management port profile is the same port profile that is used for the VSM. The port profile is configured in the VSM and is used for the Cisco VNMC management interface.

a. In the HaId field, enter the high-availability identification number for a Cisco VSG pair (value from 1 through 4095).

b. In the Password field, enter a password that contains at least one uppercase letter, one lowercase letter, and one number.

c. In the Management IP Address section, do the following:

– In the ManagementIpV4 field, enter the IP address for the Cisco VSG.

– In the ManagementIpV4 Subnet field, enter the subnet mask.

d. In the Gateway field, enter the gateway name.

e. In the VnmcIpV4 field, enter the IP address of the Cisco VNMC.

f. In the SharedSecret field, enter the shared secret password defined during the Cisco VNMC installation.

g. In the ImageName field, enter the VSG VNM-PA image name (vnmc-vsgpa.1.0.1j.bin).

Step 16 Click Next.

Note Make sure that red text messages do not appear before you click Next. If you do not want to enter valid information in the red-indicated fields, use null values to fill those fields. If those fields are left empty or filled with invalid null values, the application does not power on.
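Because a VSG deployed with empty or invalid values does not power on, the values for substeps a through g can be checked before the wizard is opened. The following is an added example, not Cisco code: the function name preflight_vsg_properties and the use of the field labels as dictionary keys are hypothetical, and the gateway-in-subnet test and the image name pattern (taken from the vnmc-vsgpa.1.0.1j.bin name above) are assumptions.

```python
import ipaddress
import re

# Field labels from substeps a-g; using them as dictionary keys is an assumption.
FIELDS = ["HaId", "Password", "ManagementIpV4", "ManagementIpV4 Subnet",
          "Gateway", "VnmcIpV4", "SharedSecret", "ImageName"]
# Constructed sample values (documentation address ranges), not a real deployment.
SAMPLE = {"HaId": "10", "Password": "Sample1pass", "ManagementIpV4": "192.0.2.10",
          "ManagementIpV4 Subnet": "255.255.255.0", "Gateway": "192.0.2.1",
          "VnmcIpV4": "192.0.2.95", "SharedSecret": "Example_Secret123",
          "ImageName": "vnmc-vsgpa.1.0.1j.bin"}

def _ipv4(value):
    """Return an IPv4Address, or None when the text is not a valid address."""
    try:
        return ipaddress.IPv4Address(str(value))
    except ValueError:
        return None

def preflight_vsg_properties(props):
    """Return {field: problem} for values that break the rules in substeps a-g."""
    errors = {f: "empty" for f in FIELDS if not str(props.get(f, "")).strip()}
    bad = errors.setdefault  # keeps the first problem recorded for a field
    ha = str(props.get("HaId", ""))
    if not (re.fullmatch(r"[0-9]{1,4}", ha) and 1 <= int(ha) <= 4095):
        bad("HaId", "must be a number from 1 through 4095")
    pw = str(props.get("Password", ""))
    if not all(re.search(p, pw) for p in ("[A-Z]", "[a-z]", "[0-9]")):
        bad("Password", "needs an uppercase letter, a lowercase letter, and a number")
    addrs = {f: _ipv4(props.get(f, "")) for f in ("ManagementIpV4", "Gateway", "VnmcIpV4")}
    for field, addr in addrs.items():
        if addr is None:
            bad(field, "not a valid IPv4 address")
    mgmt, gw = addrs["ManagementIpV4"], addrs["Gateway"]
    mask = str(props.get("ManagementIpV4 Subnet", ""))
    try:  # ipaddress accepts a dotted mask or a prefix length here
        net = ipaddress.IPv4Interface(f"{mgmt or '0.0.0.0'}/{mask}").network
    except ValueError:
        net = None
        bad("ManagementIpV4 Subnet", "not a valid subnet mask")
    # Added assumption: the gateway should sit inside the management subnet.
    if net is not None and mgmt and gw and gw not in net:
        bad("Gateway", "outside the management subnet")
    image = str(props.get("ImageName", ""))
    if image.startswith("vnmc-vsmpa."):
        bad("ImageName", "VSM policy agent image given; the VSG needs vnmc-vsgpa")
    elif not re.fullmatch(r"vnmc-vsgpa\.[\w.]+\.bin", image):
        bad("ImageName", "expected vnmc-vsgpa.<version>.bin (pattern assumed)")
    return errors
```

An empty result for SAMPLE means every field passes; a VSM image name such as vnmc-vsmpa.1.0.1j.bin in the ImageName field is reported separately because the two names differ by one letter.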

Now that you have the Cisco VNMC and the Cisco VSG successfully installed with the basic configurations (completed through the OVA File Template wizard), you should configure some of the basic security profiles and policies.

The Cisco VSG and VSM information should be listed in the Clients pane.

Configuring a Tenant on the Cisco VNMC

Tenants are entities (businesses, agencies, institutions, and so on) whose data and processes are hosted on virtual machines (VMs) on the virtual data center. To provide firewall security for each tenant, the tenant must first be configured in the Cisco VNMC.

Step 1 From the Cisco VNMC top toolbar, click the Tenant Management tab.

a. In the Name field, enter a name for the security profile; for example, sp-web.

b. In the Description field, enter a brief description of this security profile.

Step 4 Click OK.

Configuring a Compute Firewall on the Cisco VNMC

The compute firewall is a logical virtual entity that contains the device profile that you can bind (assign) to a Cisco VSG virtual machine. The device policy in the device profile is then pushed from the Cisco VNMC to the Cisco VSG. Once this is complete, the compute firewall is in the applied configuration state on the Cisco VNMC.